US9471916B2 - Wireless establishment of identity via bi-directional RFID - Google Patents

Wireless establishment of identity via bi-directional RFID

Info

Publication number
US9471916B2
Authority
US
United States
Prior art keywords
computing device
transceiver
security server
password
device data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related, expires
Application number
US13/469,380
Other versions
US20120222098A1 (en)
Inventor
John R. Dingler
Frank C. FISK
Sri Ramanathan
Matthew A. TERRY
Matthew B. TREVATHAN
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp
Priority to US13/469,380
Publication of US20120222098A1
Application granted
Publication of US9471916B2
Expired - Fee Related
Adjusted expiration

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/327Short range or proximity payments by means of M-devices
    • G06Q20/3278RFID or NFC payments by means of M-devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F21/35User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/20Point-of-sale [POS] network systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829Payment protocols; Details thereof insuring higher security of transaction involving key management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0492Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload by using a location-limited connection, e.g. near-field communication or limited proximity of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0846Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent-passwords, e.g. periodically changing passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3215Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a plurality of channels
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/068Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • H04L2209/805Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/102Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measure for e-commerce
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/166Implementing security features at a particular protocol layer at the transport layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W48/00Access restriction; Network selection; Access point selection
    • H04W48/08Access restriction or access information delivery, e.g. discovery data delivery
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W48/00Access restriction; Network selection; Access point selection
    • H04W48/16Discovering, processing access restriction or access information
    • H04W76/02
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W76/00Connection management
    • H04W76/10Connection setup
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/26Network addressing or numbering for mobility support
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W88/00Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/08Access point devices

Definitions

  • the present invention generally relates to a method, a system, and a computer program product for wireless establishment of identity, and more particularly, to a method, a system, and a computer program product for wireless establishment of identity via bi-directional radio-frequency identification (RFID).
  • RFID radio-frequency identification
  • the credit card or the debit card is the payment system of choice of consumers for their secure transactions.
  • the credit card or the debit card may store and transfer data, such as a consumer's name, card number, and card expiration date, to a payment terminal.
  • This card information is utilized by the payment terminal to electronically verify that the card is valid and that the consumer has sufficient money to purchase an item. Once the card and the consumer are verified, the payment terminal may complete the purchase by electronically sending the purchase information to the consumer's and a vendor's bank.
  • credit card or debit card security relies on the physical security of the card itself and the privacy of the card number and expiration date. For example, if a consumer loses his or her card, the card may be used by someone else and, thus, the security of the card may be compromised. In another example, a card number may be easily stolen at the time of purchase by an unscrupulous vendor, and at the time of electronic verification and/or data transfer. The latter instance has been especially rampant with the rise of Internet commerce coupled with the rise of Internet data hackers.
  • credit or debit cards can be inconvenient in certain scenarios. For instance, many vendors take only a few certain brands of credit or debit cards, and unless a consumer has a credit or debit card required by a vendor, he or she may not be able to make a purchase with a credit or debit card. Credit or debit card convenience also relies on a consumer physically having the card at the time of purchase, instead of being left at his or her home or office. In yet another example, a magnetic stripe of a card may wear down over repeated use over time. Thus, there is a need for a method and a system that allows for more secure and convenient transactions than those using credit or debit cards.
  • a method is implemented in a computer infrastructure having computer executable code tangibly embodied on a computer readable storage medium having programming instructions operable for sending device data including at least a username and a password to a transceiver.
  • the method also includes receiving an identifier of an access point in a wireless network from the transceiver, the transceiver sending the device data to the access point via a security server.
  • the device data is sent to the access point based on the identifier of the access point, the access point establishing a secure connection to the computer infrastructure based on the device data received from the transceiver and the computer infrastructure.
  • a system in hardware, including a computing device operable to send device data including at least a username and a password to a transceiver.
  • the computing device is also operable to receive an Internet Protocol (IP) address of a security server accessed via a cellular network from the transceiver, the transceiver being operable to send the device data to the security server.
  • IP Internet Protocol
  • the device data is sent to the security server based on the IP address of the security server, the security server being operable to establish a secure connection to the computing device based on the device data received from the transceiver and the computing device.
  • a computer program product includes a computer usable storage medium having readable program code embodied in the storage medium, the computer program product includes at least one component operable to send device data including at least a username and a password to a transceiver.
  • the at least one component is also operable to receive from the transceiver an Internet Protocol (IP) address of a security server accessed via a cellular network, the transceiver sending the device data to the security server.
  • the device data is sent to the security server based on the IP address of the security server, the security server establishing a secure connection to the at least one component based on the device data received from the transceiver and the at least one component.
  • a method of deploying a system for establishing a secure connection between a computer infrastructure and a wireless network includes providing the computer infrastructure, being operable to send device data including at least a username and a password to a transceiver.
  • the computer infrastructure is also operable to receive an identifier of an access point in the wireless network from the transceiver, the transceiver sending the device data to the access point via a security server.
  • the device data is sent to the access point based on the identifier of the access point, the access point establishing the secure connection to the computer infrastructure based on the device data received from the transceiver and the computer infrastructure.
  • a computer system for establishing a secure connection between the computer system and a wireless network includes a CPU, a computer readable memory and a computer readable storage media.
  • the computer system also includes first program instructions to send device data including at least a username and a password to a transceiver.
  • the computer system further includes second program instructions to receive an identifier of an access point in the wireless network from the transceiver, the transceiver sending the device data to the access point via a security server.
  • Third program instructions send the device data to the access point based on the identifier of the access point, the access point establishing the secure connection to the computer system based on the device data received from the transceiver and the computer system.
  • the first, second and third program instructions are stored on the computer readable storage media for execution by the CPU via the computer readable memory.
  • the computer system additionally includes a bi-directional radio-frequency identification (RFID) chip including a shared memory, and the sending of the device data to the transceiver is performed when the computer system is within a range of the transceiver.
  • the access point establishes the secure connection when the device data from the transceiver matches the device data from the computer system.
  • FIG. 1 shows an illustrative environment for implementing steps in a wireless network in accordance with aspects of the invention
  • FIG. 2 shows another illustrative environment for implementing steps in a cellular network in accordance with aspects of the invention
  • FIG. 3 shows an exemplary swim lane diagram implementing steps in a wireless network in accordance with aspects of the invention
  • FIG. 4 shows another exemplary swim lane diagram implementing steps in a cellular network in accordance with aspects of the invention.
  • FIG. 5 shows another exemplary swim lane diagram implementing steps in a wireless network in accordance with aspects of the invention.
  • the present invention generally relates to a method, a system, and a computer program product for wireless establishment of identity, and more particularly, to a method, a system, and a computer program product for wireless establishment of identity via bi-directional radio-frequency identification (RFID). More specifically, the invention is directed to using a bi-directional RFID chip or tag to establish connectivity between two entities (i.e., a wireless device and a wireless network), negotiate a connection mechanism, and transmit secure information, such as personal data, conveniently, safely, and securely.
  • the bi-directional RFID utilizes radio waves to perform these processes.
  • the invention provides a secure method for temporary authentication by including the bi-directional RFID with a pseudo random username and password generator.
  • the invention may also provide a method for secure transmission by including the bi-directional RFID with public key encryption.
  • the present invention includes first establishing a user name and password pairing that can be manipulated by a wireless device and placed in a shared memory of a bi-directional RFID in the wireless device.
  • the user name and password pairing is then transferred via the short-range, bi-directional RFID to, for example, a Remote Authentication Dial In User Service (RADIUS) server that allows the wireless device temporary logon to a wireless network, using secure wireless channels and/or Secure Sockets Layer (SSL) for encrypted communication.
  • RADIUS Remote Authentication Dial In User Service
  • SSL Secure Sockets Layer
  • the wireless device can connect to the wireless network conveniently and safely via the short-range proximity verification of RFID, and can transmit data to the wireless network securely over, for instance, wireless SSL.
  • aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.
  • the computer readable medium may be a computer readable signal medium or a computer readable storage medium.
  • a computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing.
  • a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
  • a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof.
  • a computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
  • Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
  • Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages.
  • the program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
  • the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
  • LAN local area network
  • WAN wide area network
  • Internet Service Provider for example, AT&T, MCI, Sprint, EarthLink, MSN, GTE, etc.
  • These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
  • the computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • FIG. 1 shows an illustrative environment 10 for managing the processes in accordance with the invention.
  • the environment 10 includes a computing device 14 that can perform the processes described herein.
  • the computing device 14 also includes a processor 20, memory 22A, an I/O interface 24, and a bus 26.
  • the memory 22A can include local memory employed during actual execution of program code, bulk storage, and cache memories which provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution.
  • the computing device includes random access memory (RAM), a read-only memory (ROM), and an operating system (O/S).
  • the memory (e.g., 22A) may store business intelligence, data mining, regression analysis and/or modeling and simulation tools for execution by the processor 20.
  • the computing device 14 is in communication with the external I/O device/resource 28 and the storage system 22B.
  • the I/O device 28 can comprise any device that enables an individual to interact with the computing device 14 (e.g., user interface) or any device that enables the computing device 14 to communicate with one or more other computing devices using any type of communications link.
  • the external I/O device/resource 28 may be for example, a handheld device, PDA, handset, keyboard etc.
  • the processor 20 executes computer program code (e.g., program control 44), which can be stored in the memory 22A and/or storage system 22B. Moreover, in accordance with aspects of the invention, the program control 44 controls a short-range, bi-directional RFID 105 chip or tag including a shared memory 110. While executing the computer program code, the processor 20 can read and/or write data to/from memory 22A, storage system 22B, and/or I/O interface 24.
  • the program code executes the processes of the invention, for example, using the RFID 105 to establish identity of the computing device 14, establish connectivity between the computing device 14 and another entity, negotiate a connection mechanism, and transmit secure information.
  • the bus 26 provides a communications link between each of the components in the computing device 14.
  • the computing device 14 can comprise any general purpose computing article of manufacture capable of executing computer program code installed thereon (e.g., a personal computer, server, etc.). However, it is understood that the computing device 14 is only representative of various possible equivalent-computing devices that may perform the processes described herein. To this extent, in embodiments, the functionality provided by the computing device 14 can be implemented by a computing article of manufacture that includes any combination of general and/or specific purpose hardware and/or computer program code. In each embodiment, the program code and hardware can be created using standard programming and engineering techniques, respectively.
  • the computing device 14 is further in communication with an 802.11 wireless LAN (“802.11”) chip and a 3rd Generation (“3G”) chip, and/or a signal circuit 115.
  • the 802.11 chip and the 3G chip allow the computing device 14 to communicate with other devices in an 802.11 network and a 3G cellular network, respectively.
  • data on the computing device 14 may be transferred from the memory 22A, processed via the processor 20 and any one of the chips into a signal of the corresponding standard (e.g., the 802.11 standard), and transferred to the other devices via an antenna (not shown) of the computing device 14.
  • the signal circuit 115 allows the computing device 14 to communicate with the other devices via the short-range, bi-directional RFID 105 including the shared memory 110. For instance, the signal circuit 115 checks for changes in voltage of an induction antenna of the RFID 105. When there is such a change, the signal circuit 115 is triggered to send an interrupt signal to the processor 20 to inform the processor 20 that the RFID 105 has received a voltage load from the induction antenna.
  • the RFID 105 is an integrated circuit that processes and stores data in the shared memory 110, and that receives and transmits RF signals via induction of the induction antenna.
  • the RFID 105 is in communication with the program control 44 and/or the memory 22A to transfer data between these components.
  • the RFID 105 is capable of reading and transferring data from the shared memory 110.
  • the computing device 14 further includes a random user/password generator 120.
  • the random user/password generator 120 generates a temporary user name and a temporary password that is transferred to the shared memory 110 of the RFID 105.
  • the shared memory 110 stores the user name and the password.
  • the environment 10 further includes a transceiver 125, a security server 130, and an access point 135.
  • the transceiver 125 is a passive, bi-directional RFID chip or reader of another computing device or object.
  • the transceiver 125 can receive and transmit RF signals to and from the RFID 105 of the computing device 14.
  • the transceiver 125 is a point or location where a user initiates a process of securing a connection to a wireless or cellular network to exchange secure information with at least one entity in the wireless or cellular network.
  • the transceiver 125 is in communication with the security server 130, and signals may be transferred between the transceiver 125 and the security server 130.
  • the security server 130 is a server such as a RADIUS server that stores valid credentials (e.g., a username and a password) that are allowed to connect to a wireless or cellular network.
  • the security server 130 is in communication with the transceiver 125 and the access point 135, and signals may be transferred between the security server 130 and the transceiver 125, and the security server 130 and the access point 135.
  • the security server 130 may receive a username and a password of a computing device (e.g., the computing device 14) from the transceiver 125, and grant the computing device access to a wireless or cellular network.
  • the security server 130 may then transfer the username and the password to the access point 135 and/or inform the access point 135 that the computing device 14 has been authenticated to have access to the wireless or cellular network.
  • the access point 135 is a computing device or a server that provides access to a secure wireless network requiring authentication of user devices requesting access to the network. Once a user device is authenticated for access to the wireless network, the access point 135 routes data between the authenticated user device and devices on the wireless network. As discussed above, the access point 135 may also be in communication with the security server 130 to receive the username and the password of the user device and/or confirmation that the security server 130 has authenticated the user device to have access to the wireless network.
  • the computing device 14 may conveniently and safely establish its identity, establish connectivity with another computing device or server in a wireless network, and transmit secure information including personal data.
  • a user of the computing device 14 e.g., a mobile device
  • the user and the location may desire that these cash transactions be quick and easy, yet secure.
  • the computing device 14 in the environment 10 within the location the user may walk up to a terminal including the transceiver 125 .
  • When the computing device 14 is within a range of the transceiver 125, the computing device 14 automatically initiates communication with the terminal via the RFID 105 and the transceiver 125, to begin a process of securely connecting to a wireless network of the location.
  • the passive, bi-directional RFID of the transceiver 125 receives device data from the RFID 105 of the computing device via induction of the antenna of the RFID 105 over close proximity.
  • the device data may include the temporary username and the temporary password generated by the random user/password generator 120 of the computing device 14 and stored in the shared memory 110 of the RFID 105 .
  • the device data may include a username and a password defined by the user via the I/O device 28 .
  • the device data may further include a geographical location of the computing device 14 determined by a Global Positioning System (GPS) chip (not shown) in the computing device 14 . The location may be in, for example, units of latitude and longitude.
  • the device data may include an 802.11 Media Access Control (MAC) address of the computing device 14 and/or an ID number of a terminal including the transceiver 125 .
  • the transceiver 125 may also acknowledge receipt of the device data from the computing device 14 .
  • the transceiver 125 may return to the computing device 14 a Service Set identifier (SSID) that identifies the wireless network of the location, specifically, the access point 135 .
  • the transceiver 125 then sends device data from the computing device 14 to the security server 130 , which grants the computing device 14 access to the wireless network for a fixed duration of time and stores the device data.
  • the security server 130 may be the component that returns the SSID of the access point 135 to the computing device 14 via the transceiver 125 .
  • the security server 130 may forward the device data to the access point 135 and/or inform the access point 135 that the computing device 14 has been authenticated to have access to the wireless network. In response, the access point 135 may also grant the computing device 14 access to the wireless network.
  • the computing device 14 may prompt the user to acknowledge the initiation of the secure connection with the location for the fixed duration of time.
  • This prompt may include, for example, an “OK” button along with a note regarding the initiation of the secure connection, and may be presented to the user via an application program interface. If the user acknowledges the initiation, then the computing device 14 may connect to the access point 135 using the provided SSID and transmit the device data to the access point 135 .
  • the prompt allows the user to verify that he or she desires to connect to the wireless network before transmitting secure information.
  • the computing device 14 may automatically connect to the access point 135 without user acknowledgment, thereby making the connection and/or the transaction between the user and the wireless network completely automatic for convenience.
  • the access point 135 completes a secure connection or communications channel to the computing device 14 based on the received device data and/or information from the computing device 14 and/or the security server 130 . For instance, the access point 135 may authenticate that a temporary username and password received from the computing device 14 matches the temporary username and password received from the security server 130 before establishing the secure connection. In embodiments, the access point 135 may assure that a device location and/or a 802.11 MAC address received from the computing device 14 matches the corresponding data received from the security server 130 . In additional embodiments, the secure connection may be over SSL-encrypted communications channels to ensure a higher level of security.
  • the user is able to use the computing device 14 to securely perform cash transactions, such as purchasing an item. That is, the user has the ability to communicate (e.g., provide purchase information, receive purchase receipts) with the wireless network over the secure connection.
  • the authenticating of the computing device 14 at the security server 130 and the access point 135 enhances the security of the present invention by ensuring that the computing device 14 is not switched with another mobile device and that the device data is not captured by another mobile device during the connection process.
  • the present invention provides the added convenience of using the bi-directional RFID 105 and the transceiver 125 to initiate cash transactions.
  • a user can make a purchase anywhere at a location (e.g., at various terminals including RFID transceivers within the location) without having to establish the secure connection.
  • the user may use the computing device 14 to purchase drinks from a vending machine, and/or to pay for lunch with an “express” line terminal.
  • a user may walk up to a point of sale (POS) and enter a unique code from the POS into a user device to communicate to the POS over the existing secure connection.
  • the POS is a location where a sale transaction occurs and may include a terminal or computing device including hardware and software.
  • the POS is connected to a wireless network and may be accessed via an access point (e.g., 135 in FIG. 1 ).
  • the POS receives the user's purchase information (e.g., credit card information) and indicates to the user that payment has been received.
  • a user can use an existing secure connection to enter a bid from a mobile device, and the POS could validate the bid against the user's credit limit and receive the user's purchase information.
  • the computing device 14 and/or the security server 130 may set an expiration time for the temporary username and the temporary password generated by the random user/password generator 120 . This forces the user to re-authenticate his or her mobile device by re-initiating the connection process with the transceiver 125 of the terminal.
  • having to regenerate the username and password after they expire ensures that the username and password are not kept as a standard username and password that may be stolen, which further enhances the security of the present invention.
  • the computing device 14 can block the random generation of the username and the password for a predetermined duration of time. For example, the computing device 14 may place an expiration flag on the current username and password that prevents them from being changed for one minute. This function is important for when the computing device 14 is communicating to the transceiver 125 and allows the computing device 14 to establish the secure connection with the access point 135 without having the username and password changed in the middle of the process.
  • FIG. 2 shows another illustrative environment 200 for managing the processes in a cellular network in accordance with the invention.
  • the computing device 14 includes the elements of FIG. 1 , in addition to a key generator 205 .
  • the key generator 205 generates a public key for encrypting data and a private key for decrypting data.
  • the public key and the private key may be generated and may decrypt and encrypt using, for example, the Rivest, Shamir, and Adleman (RSA) process or other cryptography processes known to those of skill in the art.
  • the public key and the private key are transferred to the shared memory 110 of the RFID 105 , and the shared memory 110 stores the public key and the private key.
  • These keys may be stored on a keyring for the specific cellular network 210 , along with the temporary username and password generated by the random user/password generator 120 that may also be stored on the keyring.
  • This allows a user to store a username and password for use with a specific transceiver and allows the user's device to share a public key with the specific transceiver during the connection process.
  • the shared public key can be used to encrypt data transferred between at least the specific transceiver and the user's device during later connections between the two components, for added security.
  • the environment 200 includes an external cellular network 210 that provides a secure connection or communications channel from the computing device to a location or another computing device within the cellular network 210 .
  • the another computing device may be a mobile device or a terminal in the cellular network 210 , and the another computing device may be capable of communicating over the SSL protocol and, thus, secure, SSL-encrypted connections.
  • the cellular network 210 may also be in communication with the security server 130 to receive the device data and/or confirmation that the security server 130 has authenticated the user device to have access to the cellular network.
  • the computing device 14 may conveniently and safely establish its identity, establish connectivity with another computing device or server in the cellular network 210 , and transmit secure information including personal data.
  • a user of the computing device 14 e.g., a mobile device
  • When the computing device 14 is within a range of the transceiver 125, the computing device 14 automatically initiates communication with the transceiver 125 via the RFID 105, to begin a process of securely connecting to a cellular network of the location.
  • the passive, bi-directional RFID of the transceiver 125 receives the device data from the RFID 105 of the computing device via induction of the antenna of the RFID 105 over close proximity.
  • the device data may include the temporary username and the temporary password and the location of the computing device 14 .
  • the device data may further include the public key generated by the key generator 205 and stored in the shared memory 110 of the RFID 105 .
  • the shared public key may be used to encrypt data transferred between the components that receive the public key during later connections between the components, for added security.
  • the transceiver 125 may also acknowledge receipt of the device data from the computing device 14 .
  • the transceiver 125 may return to the computing device 14 an external Internet Protocol (IP) address of the security server 130 .
  • the computing device 14 may use this external IP address to connect to the security server 130 via the external cellular network 210 .
  • the transceiver 125 then sends device data from the computing device 14 to the security server 130 , which stores the device data.
  • the security server 130 may use the device data to grant the computing device 14 access to the cellular network 210 for a fixed duration of time.
  • the transceiver 125 may validate whether the computing device 14 is at a same location as the location received in the device data, to ensure that the computing device 14 has not moved out of the range of the transceiver 125 . To perform the validation, the transceiver 125 may determine a location of the computing device 14 using a GPS chip in the transceiver 125 . If the location of the computing device 14 cannot be validated, then the transceiver 125 may return a location validation failure message to the computing device 14 , which then terminates the connection to the transceiver 125 . If the location of computing device 14 is validated, then the connection process continues.
  • the security server 130 may be the component that returns its external IP address to the computing device 14 via the transceiver 125 .
  • the security server 130 may forward the device data to the another device within the cellular network 210 and/or inform the another device within the cellular network 210 that the computing device 14 has been authenticated to have access to the cellular network.
  • the security server 130 may validate the location of the computing device 14 received in the device data, in addition to or in alternative of the transceiver 125 .
  • the computing device 14 may prompt the user to acknowledge the initiation of the secure connection with the cellular network for the fixed duration of time. If the user acknowledges the initiation, then the computing device 14 may connect to the security server 130 via the external cellular network 210 using the provided external IP address of the security server 130 , and transmit the device data to the security server 130 .
  • the security server 130 completes a secure, SSL-encrypted connection or communications channel to the computing device 14 via the cellular network 210 based on the received device data. For instance, the security server 130 may authenticate that a temporary username and password received from the computing device 14 matches the temporary username and password received from the transceiver 125 before establishing the secure connection.
  • FIGS. 3-5 show exemplary swim lane diagrams for performing aspects of the present invention.
  • “Swim lane” diagrams may be used to show the relationship between the various “components” or “players” in the processes and to define the steps involved in the processes.
  • the steps of FIGS. 3 and 5 may be implemented in the environment of FIG. 1
  • the steps of FIG. 4 may be implemented in the environment of FIG. 2 , for example.
  • each block in the swim lane or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s).
  • the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
  • each block of the block diagrams and/or swim lane diagrams, and combinations of blocks in the block diagrams and/or swim lane diagrams can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
  • the invention can take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any instruction execution system.
  • the software and/or computer program product can be implemented in the environment of FIG. 1 or 2 .
  • a computer-usable or computer readable medium can be any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
  • the medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium.
  • Examples of a computer-readable storage medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk.
  • Current examples of optical disks include compact disk-read only memory (CD-ROM), compact disc-read/write (CD-R/W) and DVD.
  • FIG. 3 depicts an exemplary swim lane diagram 300 for a process in a wireless network in accordance with aspects of the present invention.
  • the swim diagram 300 includes four swim lanes 305 , 310 , 315 , and 320 .
  • the swim lane 305 shows actions performed by a computing device (e.g., 14 in FIG. 1 )
  • the swim lane 310 shows actions performed by a transceiver (e.g., 125 )
  • the swim lane 315 shows actions performed by a RADIUS server (e.g., a security server 130 )
  • the swim lane 320 shows actions performed by an access point (e.g., 135 ).
  • the process begins. This step may include, for example, the computing device being brought within a range of the transceiver to initiate the process, and the computing device sending device data including a temporary username and password to the transceiver.
  • the transceiver receives the device data from the computing device.
  • the transceiver acknowledges the receipt of the device data from the computing device.
  • the transceiver returns a SSID of the access point to the computing device.
  • the transceiver sends the device data to the RADIUS server.
  • the RADIUS server grants the computing device access to the wireless network and may forward the device data to the access point.
  • the access point grants the computing device access to the wireless network.
  • the computing device prompts the user to acknowledge the initiation of establishing a secure connection to the wireless network.
  • the computing device connects to the access point using the provided SSID of the access point and may send the device data to the access point for authentication and/or verification of the device data.
  • the access point completes the secure connection to the computing device after authenticating or verifying the device data, and as a result, the computing device can securely communicate with the wireless network.
  • FIG. 4 depicts another exemplary swim lane diagram 400 for a process in a cellular network in accordance with aspects of the present invention.
  • the swim diagram 400 includes three swim lanes 405 , 410 , and 415 .
  • the swim lane 405 shows actions performed by a computing device (e.g., 14 in FIG. 2 )
  • the swim lane 410 shows actions performed by a transceiver (e.g., 125 )
  • the swim lane 415 shows actions performed by a security server (e.g., 130 ).
  • the process begins. This step may include, for example, the computing device being brought within a range of the transceiver to initiate the process, and the computing device sending device data including a temporary username and password to the transceiver.
  • the transceiver receives the device data from the computing device.
  • the transceiver acknowledges the receipt of the device data from the computing device.
  • the transceiver validates whether a location of the computing device is the same as the location received in the device data. If the location of the computing device fails this validation test, then at step 440 , the computing device receives a location validation failure message from the transceiver and terminates a connection to the transceiver. If the location of the computing device fails the validation step, then at step 445 , the transceiver returns to the computing device an external IP address of the security server.
  • the security server receives the device data from the transceiver.
  • the computing device sends the device data to the transceiver via the provided external IP address of the security server.
  • the device data is used by the security server to authenticate and establish a secure connection between the computing device and the security server over a SSL-encrypted communications channel.
  • the security server establishes the secure connection to the computing device based on the received device data from the transceiver and the computing device, and this process of the invention ends. This secure connection between the security server and the computing device allows for a secure connection between the computing device and the cellular network.
  • FIG. 5 depicts another exemplary swim lane diagram 500 for another process in a wireless network in accordance with aspects of the present invention.
  • the swim diagram 500 includes four swim lanes 505 , 510 , 515 , and 520 .
  • the swim lane 505 shows actions performed by a computing device (e.g., 14 in FIG. 1 )
  • the swim lane 510 shows actions performed by a transceiver (e.g., 125 )
  • the swim lane 515 shows actions performed by a security server (e.g., 130 )
  • the swim lane 520 shows actions performed by a POS.
  • the process begins. This step may include, for example, the computing device being brought within a range of the transceiver to initiate the process, and the computing device sending device data including a temporary username and password to the transceiver.
  • the transceiver receives the device data from the computing device.
  • the transceiver acknowledges the receipt of the device data from the computing device.
  • the transceiver sends the device data to the security server.
  • the security server returns an SSID of an access point of the wireless network for the computing device to the transceiver.
  • the transceiver forwards the SSID of the access point to the computing device.
  • the computing device sends the device data to the POS via the access point with the provided SSID for authentication and/or verification of the device data.
  • the POS establishes a secure connection to the computing device via the access point with the provided SSID after authenticating and/or verifying the device data.
  • the POS may establish the secure connection based on a previously-established SSL communications channel with the computing device.
  • the computing device sends purchase information (e.g., credit card information) to the POS.
  • the POS completes the purchase of an item.
  • the POS indicates to the user that payment has been received by returning a purchase receipt to the computing device.
  • the computing device indicates to the user that payment has been made by, for example, presenting the purchase receipt to the user via a user interface (e.g., the I/O device 28 ), and this process of the present invention ends.
  • a service provider such as a Solution Integrator, could offer to perform the processes described herein.
  • the service provider can create, maintain, deploy, support, etc., the computer infrastructure that performs the process steps of the invention for one or more customers. These customers may be, for example, any business that uses technology.
  • the service provider can receive payment from the customer(s) under a subscription and/or fee agreement and/or the service provider can receive payment from the sale of advertising content to one or more third parties.

Abstract

A method, a system, and a computer program product are provided for wireless establishment of identity via bi-directional radio-frequency identification (RFID). The method is implemented in a computer infrastructure having computer executable code tangibly embodied on a computer readable storage medium having programming instructions operable for sending device data including at least a username and a password to a transceiver. The method also includes receiving an identifier of an access point in a wireless network from the transceiver, the transceiver sending the device data to the access point via a security server. The device data is sent to the access point based on the identifier of the access point, the access point establishing a secure connection to the computer infrastructure based on the device data received from the transceiver and the computer infrastructure.

Description

CROSS REFERENCE TO RELATED APPLICATIONS
The present application is a divisional application of co-pending U.S. application Ser. No. 12/953,801 filed on Nov. 24, 2010, the contents of which are incorporated by reference in its entirety herein.
FIELD OF THE INVENTION
The present invention generally relates to a method, a system, and a computer program product for wireless establishment of identity, and more particularly, to a method, a system, and a computer program product for wireless establishment of identity via bi-directional radio-frequency identification (RFID).
BACKGROUND
The credit card or the debit card is the payment system of choice of consumers for their secure transactions. Using its magnetic stripe, the credit card or the debit card may store and transfer data, such as a consumer's name, card number, and card expiration date, to a payment terminal. This card information is utilized by the payment terminal to electronically verify that the card is valid and that the consumer has sufficient money to purchase an item. Once the card and the consumer are verified, the payment terminal may complete the purchase by electronically sending the purchase information to the consumer's and a vendor's bank.
However, credit card or debit card security relies on the physical security of the card itself and the privacy of the card number and expiration date. For example, if a consumer loses his or her card, the card may be used by someone else and, thus, the security of the card may be compromised. In another example, a card number may be easily stolen at the time of purchase by an unscrupulous vendor, and at the time of electronic verification and/or data transfer. The latter instance has been especially rampant with the rise of Internet commerce coupled with the rise of Internet data hackers.
In addition, credit or debit cards can be inconvenient in certain scenarios. For instance, many vendors take only a few certain brands of credit or debit cards, and unless a consumer has a credit or debit card required by a vendor, he or she may not be able to make a purchase with a credit or debit card. Credit or debit card convenience also relies on a consumer physically having the card at the time of purchase, instead of being left at his or her home or office. In yet another example, a magnetic stripe of a card may wear down over repeated use over time. Thus, there is a need for a method and a system that allows for more secure and convenient transactions than those using credit or debit cards.
SUMMARY
In a first aspect of the invention, a method is implemented in a computer infrastructure having computer executable code tangibly embodied on a computer readable storage medium having programming instructions operable for sending device data including at least a username and a password to a transceiver. The method also includes receiving an identifier of an access point in a wireless network from the transceiver, the transceiver sending the device data to the access point via a security server. The device data is sent to the access point based on the identifier of the access point, the access point establishing a secure connection to the computer infrastructure based on the device data received from the transceiver and the computer infrastructure.
In another aspect of the invention, a system is implemented in hardware, including a computing device operable to send device data including at least a username and a password to a transceiver. The computing device is also operable to receive an Internet Protocol (IP) address of a security server accessed via a cellular network from the transceiver, the transceiver being operable to send the device data to the security server. The device data is sent to the security server based on the IP address of the security server, the security server being operable to establish a secure connection to the computing device based on the device data received from the transceiver and the computing device.
In an additional aspect of the invention, a computer program product includes a computer usable storage medium having readable program code embodied in the storage medium, the computer program product includes at least one component operable to send device data including at least a username and a password to a transceiver. The at least one component is also operable to receive from the transceiver an Internet Protocol (IP) address of a security server accessed via a cellular network, the transceiver sending the device data to the security server. The device data is sent to the security server based on the IP address of the security server, the security server establishing a secure connection to the at least one component based on the device data received from the transceiver and the at least one component.
In another aspect of the invention, a method of deploying a system for establishing a secure connection between a computer infrastructure and a wireless network, includes providing the computer infrastructure, being operable to send device data including at least a username and a password to a transceiver. The computer infrastructure is also operable to receive an identifier of an access point in the wireless network from the transceiver, the transceiver sending the device data to the access point via a security server. The device data is sent to the access point based on the identifier of the access point, the access point establishing the secure connection to the computer infrastructure based on the device data received from the transceiver and the computer infrastructure.
In an additional aspect of the invention, a computer system for establishing a secure connection between the computer system and a wireless network, includes a CPU, a computer readable memory and a computer readable storage media. The computer system also includes first program instructions to send device data including at least a username and a password to a transceiver. The computer system further includes second program instructions to receive an identifier of an access point in the wireless network from the transceiver, the transceiver sending the device data to the access point via a security server. Third program instructions send the device data to the access point based on the identifier of the access point, the access point establishing the secure connection to the computer system based on the device data received from the transceiver and the computer system. The first, second and third program instructions are stored on the computer readable storage media for execution by the CPU via the computer readable memory. The computer system additionally includes a bi-directional radio-frequency identification (RFID) chip including a shared memory, and the sending of the device data to the transceiver is performed when the computer system is within a range of the transceiver. The access point establishes the secure connection when the device data from the transceiver matches the device data from the computer system.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
The present invention is described in the detailed description which follows, in reference to the noted plurality of drawings by way of non-limiting examples of exemplary embodiments of the present invention.
FIG. 1 shows an illustrative environment for implementing steps in a wireless network in accordance with aspects of the invention;
FIG. 2 shows another illustrative environment for implementing steps in a cellular network in accordance with aspects of the invention;
FIG. 3 shows an exemplary swim lane diagram implementing steps in a wireless network in accordance with aspects of the invention;
FIG. 4 shows another exemplary swim lane diagram implementing steps in a cellular network in accordance with aspects of the invention; and
FIG. 5 shows another exemplary swim lane diagram implementing steps in a wireless network in accordance with aspects of the invention.
DETAILED DESCRIPTION
The present invention generally relates to a method, a system, and a computer program product for wireless establishment of identity, and more particularly, to a method, a system, and a computer program product for wireless establishment of identity via bi-directional radio-frequency identification (RFID). More specifically, the invention is directed to using a bi-directional RFID chip or tag to establish connectivity between two entities (i.e., a wireless device and a wireless network), negotiate a connection mechanism, and transmit secure information, such as personal data, conveniently, safely, and securely. The bi-directional RFID utilizes radio waves to perform these processes. In implementation, the invention provides a secure method for temporary authentication by including the bi-directional RFID with a pseudo random username and password generator. In embodiments, the invention may also provide a method for secure transmission by including the bi-directional RFID with public key encryption.
In operation, the present invention includes first establishing a user name and password pairing that can be manipulated by a wireless device and placed in a shared memory of a bi-directional RFID in the wireless device. The user name and password pairing is then transferred via the short-range, bi-directional RFID to, for example, a Remote Authentication Dial In User Service (RADIUS) server that allows the wireless device temporary logon to a wireless network, using secure wireless channels and/or Secure Sockets Layer (SSL) for encrypted communication. Advantageously, the wireless device can connect to the wireless network conveniently and safely via the short-range proximity verification of RFID, and can transmit data to the wireless network securely over, for instance, wireless SSL.
System Environment
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.
Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
Aspects of the present invention are described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
FIG. 1 shows an illustrative environment 10 for managing the processes in accordance with the invention. To this extent, the environment 10 includes a computing device 14 that can perform the processes described herein. The computing device 14 also includes a processor 20, memory 22A, an I/O interface 24, and a bus 26. The memory 22A can include local memory employed during actual execution of program code, bulk storage, and cache memories which provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution. In addition, the computing device includes random access memory (RAM), a read-only memory (ROM), and an operating system (O/S). The memory (e.g., 22A) may store business intelligence, data mining, regression analysis and/or modeling and simulation tools for execution by the processor 20.
The computing device 14 is in communication with the external I/O device/resource 28 and the storage system 22B. For example, the I/O device 28 can comprise any device that enables an individual to interact with the computing device 14 (e.g., user interface) or any device that enables the computing device 14 to communicate with one or more other computing devices using any type of communications link. The external I/O device/resource 28 may be, for example, a handheld device, PDA, handset, keyboard, etc.
In general, the processor 20 executes computer program code (e.g., program control 44), which can be stored in the memory 22A and/or storage system 22B. Moreover, in accordance with aspects of the invention, the program control 44 controls a short-range, bi-directional RFID 105 chip or tag including a shared memory 110. While executing the computer program code, the processor 20 can read and/or write data to/from memory 22A, storage system 22B, and/or I/O interface 24. The program code executes the processes of the invention, for example, using the RFID 105 to establish identity of the computing device 14, establish connectivity between the computing device 14 and another entity, negotiate a connection mechanism, and transmit secure information. The bus 26 provides a communications link between each of the components in the computing device 14.
The computing device 14 can comprise any general purpose computing article of manufacture capable of executing computer program code installed thereon (e.g., a personal computer, server, etc.). However, it is understood that the computing device 14 is only representative of various possible equivalent-computing devices that may perform the processes described herein. To this extent, in embodiments, the functionality provided by the computing device 14 can be implemented by a computing article of manufacture that includes any combination of general and/or specific purpose hardware and/or computer program code. In each embodiment, the program code and hardware can be created using standard programming and engineering techniques, respectively.
The computing device 14 is further in communication with an 802.11 wireless LAN (“802.11”) chip and a 3rd Generation (“3G”) chip, and/or a signal circuit 115. The 802.11 chip and the 3G chip allow the computing device 14 to communicate with other devices in an 802.11 network and a 3G cellular network, respectively. For example, data on the computing device 14 may be transferred from the memory 22A, processed via the processor 20 and any one of the chips into a signal of the corresponding standard (e.g., the 802.11 standard), and transferred to the other devices via an antenna (not shown) of the computing device 14.
The signal circuit 115 allows the computing device 14 to communicate with the other devices via the short-range, bi-directional RFID 105 including the shared memory 110. For instance, the signal circuit 115 checks for changes in voltage of an induction antenna of the RFID 105. When there is such a change, the signal circuit 115 is triggered to send an interrupt signal to the processor 20 to inform the processor 20 that the RFID 105 has received a voltage load from the induction antenna.
The RFID 105 is an integrated circuit that processes and stores data in the shared memory 110, and that receives and transmits RF signals via induction of the induction antenna. The RFID 105 is in communication with the program control 44 and/or the memory 22A to transfer data between these components. The RFID 105 is capable of reading and transferring data from the shared memory 110.
The computing device 14 further includes a random user/password generator 120. The random user/password generator 120 generates a temporary user name and a temporary password that is transferred to the shared memory 110 of the RFID 105. The shared memory 110 stores the user name and the password.
The environment 10 further includes a transceiver 125, a security server 130, and an access point 135. The transceiver 125 is a passive, bi-directional RFID chip or reader of another computing device or object. The transceiver 125 can receive and transmit RF signals to and from the RFID 105 of the computing device 14. As will be discussed herein, the transceiver 125 is a point or location where a user initiates a process of securing a connection to a wireless or cellular network to exchange secure information with at least one entity in the wireless or cellular network. In addition, the transceiver 125 is in communication with the security server 130, and signals may be transferred between the transceiver 125 and the security server 130.
The security server 130 is a server such as a RADIUS server that stores valid credentials (e.g., a username and a password) that are allowed to connect to a wireless or cellular network. The security server 130 is in communication with the transceiver 125 and the access point 135, and signals may be transferred between the security server 130 and the transceiver 125, and the security server 130 and the access point 135. In operation, for example, the security server 130 may receive a username and a password of a computing device (e.g., the computing device 14) from the transceiver 125, and grant the computing device access to a wireless or cellular network. The security server 130 may then transfer the username and the password to the access point 135 and/or inform the access point 135 that the computing device 14 has been authenticated to have access to the wireless or cellular network.
The access point 135 is a computing device or a server that provides access to a secure wireless network requiring authentication of user devices requesting access to the network. Once a user device is authenticated for access to the wireless network, the access point 135 routes data between the authenticated user device and devices on the wireless network. As discussed above, the access point 135 may also be in communication with the security server 130 to receive the username and the password of the user device and/or confirmation that the security server 130 has authenticated the user device to have access to the wireless network.
Using the environment 10 as described above, the computing device 14 may conveniently and safely establish its identity, establish connectivity with another computing device or server in a wireless network, and transmit secure information including personal data. For example, in operation, a user of the computing device 14 (e.g., a mobile device) may enter a location, such as a gas station or an amusement park, that will require various cash transactions. The user and the location may desire that these cash transactions be quick and easy, yet secure. With the computing device 14 in the environment 10 within the location, the user may walk up to a terminal including the transceiver 125. When the computing device 14 is within a range of the transceiver 125, the computing device 14 automatically initiates communication with the terminal via the RFID 105 and the transceiver 125, to begin a process of securely connecting to a wireless network of the location.
Next, the passive, bi-directional RFID of the transceiver 125 receives device data from the RFID 105 of the computing device via induction of the antenna of the RFID 105 over close proximity. In embodiments, the device data may include the temporary username and the temporary password generated by the random user/password generator 120 of the computing device 14 and stored in the shared memory 110 of the RFID 105. Alternatively, the device data may include a username and a password defined by the user via the I/O device 28. The device data may further include a geographical location of the computing device 14 determined by a Global Positioning System (GPS) chip (not shown) in the computing device 14. The location may be in, for example, units of latitude and longitude. In additional embodiments, the device data may include an 802.11 Media Access Control (MAC) address of the computing device 14 and/or an ID number of a terminal including the transceiver 125.
In embodiments, the transceiver 125 may also acknowledge receipt of the device data from the computing device 14. The transceiver 125 may return to the computing device 14 a Service Set identifier (SSID) that identifies the wireless network of the location, specifically, the access point 135. The transceiver 125 then sends device data from the computing device 14 to the security server 130, which grants the computing device 14 access to the wireless network for a fixed duration of time and stores the device data. In further embodiments, the security server 130 may be the component that returns the SSID of the access point 135 to the computing device 14 via the transceiver 125. The security server 130 may forward the device data to the access point 135 and/or inform the access point 135 that the computing device 14 has been authenticated to have access to the wireless network. In response, the access point 135 may also grant the computing device 14 access to the wireless network.
In embodiments, to add an extra layer of security for the connection between the computing device 14 and the wireless network, the computing device 14 may prompt the user to acknowledge the initiation of the secure connection with the location for the fixed duration of time. This prompt may include, for example, an “OK” button along with a note regarding the initiation of the secure connection, and may be presented to the user via an application program interface. If the user acknowledges the initiation, then the computing device 14 may connect to the access point 135 using the provided SSID and transmit the device data to the access point 135. The prompt allows the user to verify that he or she desires to connect to the wireless network before transmitting secure information. Alternatively, the computing device 14 may automatically connect to the access point 135 without user acknowledgment, thereby making the connection and/or the transaction between the user and the wireless network completely automatic for convenience.
The access point 135 completes a secure connection or communications channel to the computing device 14 based on the received device data and/or information from the computing device 14 and/or the security server 130. For instance, the access point 135 may authenticate that a temporary username and password received from the computing device 14 matches the temporary username and password received from the security server 130 before establishing the secure connection. In embodiments, the access point 135 may assure that a device location and/or an 802.11 MAC address received from the computing device 14 matches the corresponding data received from the security server 130. In additional embodiments, the secure connection may be over SSL-encrypted communications channels to ensure a higher level of security.
As a result of this establishing of the secure connection via the security server 130 and the access point 135, the user is able to use the computing device 14 to securely perform cash transactions, such as purchasing an item. That is, the user has the ability to communicate (e.g., provide purchase information, receive purchase receipts) with the wireless network over the secure connection. In addition, the authenticating of the computing device 14 at the security server 130 and the access point 135 enhances the security of the present invention by ensuring that the computing device 14 is not switched with another mobile device and that the device data is not captured by another mobile device during the connection process. Furthermore, the present invention provides the added convenience of using the bi-directional RFID 105 and the transceiver 125 to initiate cash transactions. Once a secure connection with a wireless network is established, a user can make a purchase anywhere at a location (e.g., at various terminals including RFID transceivers within the location) without having to establish the secure connection. In embodiments, for example, the user may use the computing device 14 to purchase drinks from a vending machine, and/or to pay for lunch with an “express” line terminal.
In embodiments, once a secure connection with a wireless network is established, a user may walk up to a point of sale (POS) and enter a unique code from the POS into a user device to communicate to the POS over the existing secure connection. The POS is a location where a sale transaction occurs and may include a terminal or computing device including hardware and software. The POS is connected to a wireless network and may be accessed via an access point (e.g., 135 in FIG. 1). The POS receives the user's purchase information (e.g., credit card information) and indicates to the user that payment has been received. For example, at an auction, a user can use an existing secure connection to enter a bid from a mobile device, and the POS could validate the bid against the user's credit limit and receive the user's purchase information.
In embodiments, the computing device 14 and/or the security server 130 may set an expiration time for the temporary username and the temporary password generated by the random user/password generator 120. This forces the user to re-authenticate his or her mobile device by re-initiating the connection process with the transceiver 125 of the terminal. Advantageously, having to regenerate the username and password after they expire ensures that the username and password are not kept as a standard username and password that may be stolen, which further enhances the security of the present invention.
In embodiments, the computing device 14 can block the random generation of the username and the password for a predetermined duration of time. For example, the computing device 14 may place an expiration flag on the current username and password that prevents them from being changed for one minute. This function is important for when the computing device 14 is communicating to the transceiver 125 and allows the computing device 14 to establish the secure connection with the access point 135 without having the username and password changed in the middle of the process.
FIG. 2 shows another illustrative environment 200 for managing the processes in a cellular network in accordance with the invention. The computing device 14 includes the elements of FIG. 1, in addition to a key generator 205. The key generator 205 generates a public key for encrypting data and a private key for decrypting data. The public key and the private key may be generated and may decrypt and encrypt using, for example, the Rivest, Shamir, and Adleman (RSA) process or other cryptography processes known to those of skill in the art. The public key and the private key are transferred to the shared memory 110 of the RFID 105, and the shared memory 110 stores the public key and the private key. These keys may be stored on a keyring for the specific cellular network 210, along with the temporary username and password generated by the random user/password generator 120 that may also be stored on the keyring. This allows a user to store a username and password for use with a specific transceiver and allows the user's device to share a public key with the specific transceiver during the connection process. The shared public key can be used to encrypt data transferred between at least the specific transceiver and the user's device during later connections between the two components, for added security.
The environment 200 includes an external cellular network 210 that provides a secure connection or communications channel from the computing device to a location or another computing device within the cellular network 210. For instance, the another computing device may be a mobile device or a terminal in the cellular network 210, and the another computing device may be capable of communicating over the SSL protocol and, thus, secure, SSL-encrypted connections. The cellular network 210 may also be in communication with the security server 130 to receive the device data and/or confirmation that the security server 130 has authenticated the user device to have access to the cellular network.
Using the environment 200 as described above, the computing device 14 may conveniently and safely establish its identity, establish connectivity with another computing device or server in the cellular network 210, and transmit secure information including personal data. For example, in operation, a user of the computing device 14 (e.g., a mobile device) may enter a location including the environment 200. When the computing device 14 is within a range of the transceiver 125, the computing device 14 automatically initiates communication with the transceiver 125 via the RFID 105, to begin a process of securely connecting to a cellular network of the location.
Next, the passive, bi-directional RFID of the transceiver 125 receives the device data from the RFID 105 of the computing device via induction of the antenna of the RFID 105 over close proximity. In embodiments, the device data may include the temporary username and the temporary password and the location of the computing device 14. In the environment 200, the device data may further include the public key generated by the key generator 205 and stored in the shared memory 110 of the RFID 105. The shared public key may be used to encrypt data transferred between the components that receive the public key during later connections between the components, for added security.
In embodiments, the transceiver 125 may also acknowledge receipt of the device data from the computing device 14. The transceiver 125 may return to the computing device 14 an external Internet Protocol (IP) address of the security server 130. The computing device 14 may use this external IP address to connect to the security server 130 via the external cellular network 210. The transceiver 125 then sends device data from the computing device 14 to the security server 130, which stores the device data. The security server 130 may use the device data to grant the computing device 14 access to the cellular network 210 for a fixed duration of time.
In embodiments, the transceiver 125 may validate whether the computing device 14 is at a same location as the location received in the device data, to ensure that the computing device 14 has not moved out of the range of the transceiver 125. To perform the validation, the transceiver 125 may determine a location of the computing device 14 using a GPS chip in the transceiver 125. If the location of the computing device 14 cannot be validated, then the transceiver 125 may return a location validation failure message to the computing device 14, which then terminates the connection to the transceiver 125. If the location of the computing device 14 is validated, then the connection process continues.
In embodiments, the security server 130 may be the component that returns its external IP address to the computing device 14 via the transceiver 125. The security server 130 may forward the device data to the another device within the cellular network 210 and/or inform the another device within the cellular network 210 that the computing device 14 has been authenticated to have access to the cellular network. In further embodiments, the security server 130 may validate the location of the computing device 14 received in the device data, in addition to or as an alternative to the transceiver 125.
In embodiments, to add an extra layer of security for the connection between the computing device 14 and the cellular network, the computing device 14 may prompt the user to acknowledge the initiation of the secure connection with the cellular network for the fixed duration of time. If the user acknowledges the initiation, then the computing device 14 may connect to the security server 130 via the external cellular network 210 using the provided external IP address of the security server 130, and transmit the device data to the security server 130. The security server 130 completes a secure, SSL-encrypted connection or communications channel to the computing device 14 via the cellular network 210 based on the received device data. For instance, the security server 130 may authenticate that a temporary username and password received from the computing device 14 matches the temporary username and password received from the transceiver 125 before establishing the secure connection.
Methods of Implementing Embodiments of the Invention
FIGS. 3-5 show exemplary swim lane diagrams for performing aspects of the present invention. “Swim lane” diagrams may be used to show the relationship between the various “components” or “players” in the processes and to define the steps involved in the processes. The steps of FIGS. 3 and 5 may be implemented in the environment of FIG. 1, while the steps of FIG. 4 may be implemented in the environment of FIG. 2, for example.
The swim lane and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the swim lane or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or swim lane diagrams, and combinations of blocks in the block diagrams and/or swim lane diagrams, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Furthermore, the invention can take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any instruction execution system. The software and/or computer program product can be implemented in the environment of FIG. 1 or 2. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium. Examples of a computer-readable storage medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk. Current examples of optical disks include compact disk-read only memory (CD-ROM), compact disc-read/write (CD-R/W) and DVD.
In particular, FIG. 3 depicts an exemplary swim lane diagram 300 for a process in a wireless network in accordance with aspects of the present invention. The swim diagram 300 includes four swim lanes 305, 310, 315, and 320. Specifically, the swim lane 305 shows actions performed by a computing device (e.g., 14 in FIG. 1), the swim lane 310 shows actions performed by a transceiver (e.g., 125), the swim lane 315 shows actions performed by a RADIUS server (e.g., a security server 130), and the swim lane 320 shows actions performed by an access point (e.g., 135).
At step 325, the process begins. This step may include, for example, the computing device being brought within a range of the transceiver to initiate the process, and the computing device sending device data including a temporary username and password to the transceiver. At step 330, the transceiver receives the device data from the computing device. At step 335, the transceiver acknowledges the receipt of the device data from the computing device.
At step 340, the transceiver returns an SSID of the access point to the computing device. At step 345, the transceiver sends the device data to the RADIUS server. At step 350, the RADIUS server grants the computing device access to the wireless network and may forward the device data to the access point. At step 355, the access point grants the computing device access to the wireless network.
At step 360, the computing device prompts the user to acknowledge the initiation of establishing a secure connection to the wireless network. At step 365, the computing device connects to the access point using the provided SSID of the access point and may send the device data to the access point for authentication and/or verification of the device data. At step 370, the access point completes the secure connection to the computing device after authenticating or verifying the device data, and as a result, the computing device can securely communicate with the wireless network.
FIG. 4 depicts another exemplary swim lane diagram 400 for a process in a cellular network in accordance with aspects of the present invention. The swim diagram 400 includes three swim lanes 405, 410, and 415. Specifically, the swim lane 405 shows actions performed by a computing device (e.g., 14 in FIG. 2), the swim lane 410 shows actions performed by a transceiver (e.g., 125), and the swim lane 415 shows actions performed by a security server (e.g., 130).
At step 420, the process begins. This step may include, for example, the computing device being brought within a range of the transceiver to initiate the process, and the computing device sending device data including a temporary username and password to the transceiver. At step 425, the transceiver receives the device data from the computing device. At step 430, the transceiver acknowledges the receipt of the device data from the computing device.
At step 435, the transceiver validates whether a location of the computing device is the same as the location received in the device data. If the location of the computing device fails this validation test, then at step 440, the computing device receives a location validation failure message from the transceiver and terminates a connection to the transceiver. If the location of the computing device passes the validation step, then at step 445, the transceiver returns to the computing device an external IP address of the security server.
At step 450, the security server receives the device data from the transceiver. At step 455, the computing device sends the device data to the transceiver via the provided external IP address of the security server. The device data is used by the security server to authenticate and establish a secure connection between the computing device and the security server over a SSL-encrypted communications channel. At step 460, the security server establishes the secure connection to the computing device based on the received device data from the transceiver and the computing device, and this process of the invention ends. This secure connection between the security server and the computing device allows for a secure connection between the computing device and the cellular network.
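The FIG. 4 exchange above, together with the matching and expiration conditions of claim 1, can be sketched as follows. This is an added Python example, not code from the patent; the class names, the 60-second lifetime, the location tolerance and the 203.0.113.10 documentation address are assumptions made for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceData:
    username: str
    password: str
    latitude: float
    longitude: float
    expires_at: float  # epoch seconds, set by the computing device


def generate_device_data(lat, lon, ttl_seconds=60.0, now=None):
    """Computing device: random temporary username/password with an expiry."""
    now = time.time() if now is None else now
    return DeviceData(
        username=secrets.token_hex(8),
        password=secrets.token_urlsafe(24),
        latitude=lat,
        longitude=lon,
        expires_at=now + ttl_seconds,
    )


class SecurityServer:
    """Holds device data forwarded by the transceiver (step 450) until the
    device presents the same data over the second channel (steps 455-460)."""

    def __init__(self):
        self._pending = {}  # username -> DeviceData from the transceiver

    def receive_from_transceiver(self, data):
        self._pending[data.username] = data

    def authenticate_device(self, presented, now=None):
        now = time.time() if now is None else now
        # pop() makes every forwarded record single-use: one attempt,
        # successful or not, consumes it, so a captured pair cannot be replayed.
        expected = self._pending.pop(presented.username, None)
        if expected is None:
            return False
        if now >= expected.expires_at:
            return False  # the device must regenerate and re-initiate
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(
            expected.password.encode(), presented.password.encode()
        )


class Transceiver:
    """First-channel endpoint: validates location, forwards device data and
    returns the security server's address (steps 425-445)."""

    def __init__(self, server, server_ip, lat, lon, tolerance_deg=0.001):
        self.server = server
        self.server_ip = server_ip  # constructed documentation address
        self.lat = lat
        self.lon = lon
        self.tolerance_deg = tolerance_deg  # assumed meaning of "the same"

    def handle(self, data):
        off_site = (
            abs(data.latitude - self.lat) > self.tolerance_deg
            or abs(data.longitude - self.lon) > self.tolerance_deg
        )
        if off_site:
            # Step 440: nothing is forwarded and no address is disclosed.
            return ("LOCATION_VALIDATION_FAILURE", None)
        self.server.receive_from_transceiver(data)
        return ("OK", self.server_ip)


if __name__ == "__main__":
    server = SecurityServer()
    trx = Transceiver(server, "203.0.113.10", 35.0, -80.0)
    data = generate_device_data(35.0, -80.0)
    status, ip = trx.handle(data)
    print(status, ip, server.authenticate_device(data))
```

The server only accepts a second-channel login for which it already holds a matching, unexpired record from the transceiver, which is what ties the network session to physical presence at the transceiver.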
FIG. 5 depicts another exemplary swim lane diagram 500 for another process in a wireless network in accordance with aspects of the present invention. The swim diagram 500 includes four swim lanes 505, 510, 515, and 520. Specifically, the swim lane 505 shows actions performed by a computing device (e.g., 14 in FIG. 1), the swim lane 510 shows actions performed by a transceiver (e.g., 125), the swim lane 515 shows actions performed by a security server (e.g., 130), and the swim lane 520 shows actions performed by a POS.
At step 525, the process begins. This step may include, for example, the computing device being brought within a range of the transceiver to initiate the process, and the computing device sending device data including a temporary username and password to the transceiver. At step 530, the transceiver receives the device data from the computing device. At step 535, the transceiver acknowledges the receipt of the device data from the computing device.
At step 540, the transceiver sends the device data to the security server. At step 545, the security server returns an SSID of an access point of the wireless network for the computing device to the transceiver. At step 550, the transceiver forwards the SSID of the access point to the computing device. At step 555, the computing device sends the device data to the POS via the access point with the provided SSID for authentication and/or verification of the device data.
At step 560, the POS establishes a secure connection to the computing device via the access point with the provided SSID after authenticating and/or verifying the device data. The POS may establish the secure connection based on a previously-established SSL communications channel with the computing device. At step 565, the computing device sends purchase information (e.g., credit card information) to the POS. At step 570, the POS completes the purchase of an item. At step 575, the POS indicates to the user that payment has been received by returning a purchase receipt to the computing device. At step 580, the computing device indicates to the user that payment has been made by, for example, presenting the purchase receipt to the user via a user interface (e.g., the I/O device 28), and this process of the present invention ends.
In embodiments, a service provider, such as a Solution Integrator, could offer to perform the processes described herein. In this case, the service provider can create, maintain, deploy, support, etc., the computer infrastructure that performs the process steps of the invention for one or more customers. These customers may be, for example, any business that uses technology. In return, the service provider can receive payment from the customer(s) under a subscription and/or fee agreement and/or the service provider can receive payment from the sale of advertising content to one or more third parties.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The corresponding structures, materials, acts, and equivalents of all means or step plus function elements in the claims, if applicable, are intended to include any structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description of the present invention has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the invention. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated. Accordingly, while the invention has been described in terms of embodiments, those of skill in the art will recognize that the invention can be practiced with modifications and in the spirit and scope of the appended claims.

Claims (17)

What is claimed is:
1. A system implemented in hardware, comprising:
a transceiver, a security server, and a computing device which performs the steps of:
sending, by the computing device via a first communication channel, device data including at least a username and a password to the transceiver;
sending, by the transceiver, the device data to the security server;
receiving, by the computing device via the first communication channel, an Internet Protocol (IP) address of the security server from the transceiver; and
sending, by the computing device via a second communication channel, device data to the security server based on the IP address of the security server;
establishing, by the security server, a secure connection to the computing device based on the device data received from the transceiver matching the device data received from the computing device,
wherein the computing device further comprises a random user/password generator which generates the username and the password randomly, and
wherein the computing device sets an expiration time for the username and the password, and when the expiration time is reached, the computing device regenerates another username and another password and resends the another username and the another password to the transceiver in order to re-authenticate the computing device by re-initiating a connection process with the security server.
2. The system of claim 1, wherein the computing device comprises a bidirectional radio-frequency identification (RFID) chip comprising a shared memory.
3. The system of claim 1, wherein the computing device blocks the random generation of the another username and the another password for a predetermined duration of time.
4. The system of claim 1, wherein the device data further comprises at least one of:
a geographical location of the computing device;
a Media Access Control (MAC) address of the computing device;
an identification number of the transceiver; and
a public key generated by the computing device.
5. The system of claim 1, wherein:
the computing device further comprises a key generator which generates a public key and a private key randomly; and
the computing device sends the public key to the transceiver,
the transceiver encrypts at least one of the device data and the IP address of the security server before sending the at least one of the device data and the IP address of the security server.
6. The system of claim 1, wherein the computing device sends the device data to the transceiver when the computing device is within a range of the transceiver.
7. The system of claim 1, wherein the transceiver validates a geographical location of the computing device based on the device data, and sends a location validation failure message to the computing device when the geographical location of the computing device is not validated.
8. The system of claim 1, wherein the computing device prompts a user to acknowledge an initiation of establishing the secure connection to the cellular network.
9. A computer program product comprising a non-transitory computer usable storage medium having readable program code embodied in the storage medium, the computer program product, when executed, causes a transceiver, a security server, and a computing device to perform the steps of:
sending, by the computing device via a first communication channel, device data including at least a username and a password to the transceiver;
sending, by the transceiver, the device data to the security server;
receiving, by the computing device via the first communication channel, an Internet Protocol (IP) address of the security server from the transceiver; and
sending, by the computing device via a second communication channel, device data to the security server based on the IP address of the security server;
establishing, by the security server, a secure connection to the computing device based on the device data received from the transceiver matching the device data received from the computing device,
wherein the computing device further comprises a random user/password generator which generates the username and the password randomly, and
wherein the computing device sets an expiration time for the username and the password, and when the expiration time is reached, the computing device regenerates another username and another password and resends the another username and the another password to the transceiver in order to re-authenticate the computing device by re-initiating a connection process with the security server.
10. The computer program product of claim 9, wherein the computing device comprises a bi-directional radio-frequency identification (RFID) chip comprising a shared memory.
11. The computer program product of claim 9, wherein the computing device blocks the random generation of the another username and the another password for a predetermined duration of time.
12. The computer program product of claim 11, wherein:
the computing device further comprises a key generator which generates a public key and a private key randomly; and
the computing device sends the public key to the transceiver, the transceiver encrypts at least one of the device data and the IP address of the security server before sending the at least one of the device data and the IP address of the security server.
13. The computer program product of claim 9, wherein the computing device prompts the user to acknowledge an initiation of establishing the secure connection to the cellular network.
14. The system of claim 3, wherein the predetermined duration of time is a time when the computing device is communicating to the transceiver to establish the secure connection with the security server.
15. The system of claim 1, wherein the device data further includes latitude and longitude information determined by a global positioning system (GPS) chip in the computing device.
16. The system of claim 1, wherein the first communication channel is a wireless channel that transmits and receives via radio-frequency.
17. The system of claim 1, wherein the second communication channel is a wireless channel that transmits and receives via a secure, SSL-encrypted connection.
US13/469,380 2010-11-24 2012-05-11 Wireless establishment of identity via bi-directional RFID Expired - Fee Related US9471916B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US13/469,380 US9471916B2 (en) 2010-11-24 2012-05-11 Wireless establishment of identity via bi-directional RFID

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US12/953,801 US9916573B2 (en) 2010-11-24 2010-11-24 Wireless establishment of identity via bi-directional RFID
US13/469,380 US9471916B2 (en) 2010-11-24 2012-05-11 Wireless establishment of identity via bi-directional RFID

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US12/953,801 Division US9916573B2 (en) 2010-11-24 2010-11-24 Wireless establishment of identity via bi-directional RFID

Publications (2)

Publication Number Publication Date
US20120222098A1 US20120222098A1 (en) 2012-08-30
US9471916B2 true US9471916B2 (en) 2016-10-18

Family

ID=46065272

Family Applications (3)

Application Number Title Priority Date Filing Date
US12/953,801 Active 2034-11-22 US9916573B2 (en) 2010-11-24 2010-11-24 Wireless establishment of identity via bi-directional RFID
US13/469,380 Expired - Fee Related US9471916B2 (en) 2010-11-24 2012-05-11 Wireless establishment of identity via bi-directional RFID
US15/848,568 Active US10115101B2 (en) 2010-11-24 2017-12-20 Wireless establishment of identity via bi-directional RFID

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US12/953,801 Active 2034-11-22 US9916573B2 (en) 2010-11-24 2010-11-24 Wireless establishment of identity via bi-directional RFID

Family Applications After (1)

Application Number Title Priority Date Filing Date
US15/848,568 Active US10115101B2 (en) 2010-11-24 2017-12-20 Wireless establishment of identity via bi-directional RFID

Country Status (1)

Country Link
US (3) US9916573B2 (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013100912A1 (en) * 2011-12-27 2013-07-04 Intel Corporation Systems and methods for cross-layer secure connection set up
JP5616917B2 (en) * 2012-03-14 2014-10-29 富士フイルム株式会社 Operation management system, control system, and operation control method thereof
JP5884630B2 (en) * 2012-05-14 2016-03-15 コニカミノルタ株式会社 Radiation imaging system
US20140099981A1 (en) * 2012-10-05 2014-04-10 SHC Direct, L.L.C. Method and system for communicating between a mobile device and a remote device
US20140114778A1 (en) * 2012-10-24 2014-04-24 NCR Corporation, Law Dept. Techniques for drive thru mobile ordering
US9197408B2 (en) * 2013-05-10 2015-11-24 Sap Se Systems and methods for providing a secure data exchange
DE102014012673A1 (en) 2014-08-22 2016-02-25 Wabco Gmbh Vehicle network and method for building a vehicle network
CN104967596B (en) * 2014-10-31 2018-05-22 腾讯科技(深圳)有限公司 User terminal and internet of things equipment binding, the implementation method to communicate and device
CN104967595B (en) * 2014-10-31 2019-03-01 腾讯科技(深圳)有限公司 The method and apparatus that equipment is registered in platform of internet of things
CZ306210B6 (en) * 2015-07-07 2016-09-29 Aducid S.R.O. Method of assignment of at least two authentication devices to the account of a user using authentication server
KR102411604B1 (en) 2018-03-22 2022-06-21 삼성전자주식회사 Access point and method for connecting communication with external device thereof
US11765164B2 (en) * 2019-02-26 2023-09-19 Amazon Technologies, Inc. Server-based setup for connecting a device to a local area network

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB0427642D0 (en) * 2004-12-16 2005-01-19 Renovo Ltd Information collection system
US8095113B2 (en) * 2007-10-17 2012-01-10 First Data Corporation Onetime passwords for smart chip cards
US8060920B2 (en) * 2008-06-20 2011-11-15 Microsoft Corporation Generating and changing credentials of a service account
US20110088100A1 (en) * 2009-10-14 2011-04-14 Serge Rutman Disabling electronic display devices
US9916573B2 (en) * 2010-11-24 2018-03-13 International Business Machines Corporation Wireless establishment of identity via bi-directional RFID

Patent Citations (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5590038A (en) 1994-06-20 1996-12-31 Pitroda; Satyan G. Universal electronic transaction card including receipt storage and system and methods of conducting electronic transactions
US7340439B2 (en) 1999-09-28 2008-03-04 Chameleon Network Inc. Portable electronic authorization system and method
US7574606B1 (en) * 2000-10-24 2009-08-11 Trimble Navigation Limited Location authentication stamp attached to messages
US20050210243A1 (en) 2001-09-28 2005-09-22 Archard Paul L System and method for improving client response times using an integrated security and packet optimization framework
WO2004071008A1 (en) * 2003-02-06 2004-08-19 Meridea Financial Software Oy Method for setting up a secure connection using public and private key generated in user terminal
US20080132207A1 (en) 2003-10-17 2008-06-05 Gallagher Michael D Service access control interface for an unlicensed wireless communication system
US7515901B1 (en) 2004-02-25 2009-04-07 Sun Microsystems, Inc. Methods and apparatus for authenticating devices in a network environment
US20050257045A1 (en) 2004-04-12 2005-11-17 Bushman M B Secure messaging system
US20080141360A1 (en) 2004-11-03 2008-06-12 Qinetiq Limited Wireless Linked Computer Communications
US20060123463A1 (en) 2004-12-03 2006-06-08 Yeap Tet H Security access device and method
US7287693B2 (en) 2005-01-31 2007-10-30 Neopost Technologies S.A. Proximity validation system and method
US20070023508A1 (en) * 2005-01-31 2007-02-01 George Brookner Proximity validation system and method
US7661128B2 (en) 2005-03-31 2010-02-09 Google Inc. Secure login credentials for substantially anonymous users
US20060225130A1 (en) * 2005-03-31 2006-10-05 Kai Chen Secure login credentials for substantially anonymous users
US20080192932A1 (en) 2005-05-20 2008-08-14 Nxp B.V. Method of Securely Reading Data From a Transponder
US7570939B2 (en) 2005-09-06 2009-08-04 Apple Inc. RFID network arrangement
US20070186105A1 (en) 2006-02-03 2007-08-09 Bailey Daniel V Wireless Authentication Methods and Apparatus
US20080040602A1 (en) * 2006-05-10 2008-02-14 Ndchealth Corporation Systems and methods for public-key encryption for transmission of medical information
US20080320297A1 (en) 2007-06-22 2008-12-25 Dale Sabo Method and system for monitoring encrypted data transmissions
US20090143104A1 (en) 2007-09-21 2009-06-04 Michael Loh Wireless smart card and integrated personal area network, near field communication and contactless payment system
US20100136923A1 (en) 2008-12-03 2010-06-03 Broadcom Corporation Apparatus with rfid transceiver and wireless communication module
US20100320266A1 (en) * 2009-06-23 2010-12-23 At&T Mobility Ii Llc Devices, Systems and Methods for Wireless Point-of-Sale

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Office Action for U.S. Appl. No. 12/953,801 dated Sep. 5, 2012.

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9916573B2 (en) * 2010-11-24 2018-03-13 International Business Machines Corporation Wireless establishment of identity via bi-directional RFID
US10115101B2 (en) * 2010-11-24 2018-10-30 International Business Machines Corporation Wireless establishment of identity via bi-directional RFID

Also Published As

Publication number Publication date
US9916573B2 (en) 2018-03-13
US20180114214A1 (en) 2018-04-26
US20120130902A1 (en) 2012-05-24
US20120222098A1 (en) 2012-08-30
US10115101B2 (en) 2018-10-30

Legal Events

Date Code Title Description
STCF Information on status: patent grant

Free format text: PATENTED CASE

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Expired due to failure to pay maintenance fee

Effective date: 20201018